bind9 fails DNSSEC validation on one server but not on an identical server on another network

I am trying to set up a recursive DNS server on a cloud-based VPS. If I set dnssec-validation no it works fine, but if I set dnssec-validation auto I get status: SERVFAIL from dig. However, when I use exactly the same configuration file on an identical server on another network, it works with dnssec-validation auto.

Both are running BIND 9.11.3 on Ubuntu 18.04.3. I have trimmed named.conf.options down to:

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-transfer { none; };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on { any; };
    listen-on-v6 { none; };
};

named.conf.local is empty and everything else is at its defaults. On the working server, when I run dig apple.com @localhost I get:

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> apple.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7616
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f987cd320c5efed7576fef585da668961c4f29e79a6cfa7b (good)
;; QUESTION SECTION:
;apple.com.                     IN      A

;; ANSWER SECTION:
apple.com.              3600    IN      A       17.142.160.59
apple.com.              3600    IN      A       17.178.96.59
apple.com.              3600    IN      A       17.172.224.47

;; AUTHORITY SECTION:
apple.com.              172800  IN      NS      c.ns.apple.com.
apple.com.              172800  IN      NS      b.ns.apple.com.
apple.com.              172800  IN      NS      d.ns.apple.com.
apple.com.              172800  IN      NS      a.ns.apple.com.

;; Query time: 401 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 15 19:47:18 CDT 2019
;; MSG SIZE  rcvd: 181

But the same command on the failing server gives me:

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> apple.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 774ab4aac2a012bade665c985da668b77508d1e7bdf048f2 (good)
;; QUESTION SECTION:
;apple.com.                     IN      A

;; Query time: 4000 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 15 19:47:51 CDT 2019
;; MSG SIZE  rcvd: 66

In /var/log/syslog on the failing server I see:

Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 199.7.91.13#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 199.7.83.42#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 202.12.27.33#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.5.5.241#53
Oct 15 20:01:17 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:17 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.58.128.30#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.36.148.17#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 198.41.0.4#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 198.97.190.53#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 193.0.14.129#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.33.4.12#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.112.36.4#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 192.203.230.10#53
Oct 15 20:01:18 ns0 named[31690]: validating com/DS: no valid signature found
Oct 15 20:01:18 ns0 named[31690]: no valid RRSIG resolving 'com/DS/IN': 199.9.14.201#53

If I change the configuration to say dnssec-validation no; the failing server starts working.

Any ideas on how to start debugging this?

EDIT: I have verified (with md5sum) that /etc/bind/bind.keys is identical on both servers.

EDIT2: After turning on query logging, I get this additional log line:

 [...] query failed (SERVFAIL) for apple.com/IN/A at ../../../bin/named/query.c:8402
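One way to start the debugging the question asks for, added here as an example and not part of the original post: it asks a root server directly for the com DS RRset with the DO bit set, parses dig's reply, and reports whether the RRSIG arrived and is valid at the current time, which is exactly what named could not find when it logged "no valid RRSIG resolving 'com/DS/IN'". It assumes dig is installed on the host; the root address 198.41.0.4 is taken from the syslog above, and the sample reply is constructed with placeholder digest and signature values.

```python
"""Ask a root server directly for com/DS with the DO bit and check that an RRSIG
comes back and is currently valid (what BIND lacked when it logged "no valid RRSIG
resolving 'com/DS/IN'"). Added example; assumes dig on PATH for query_root only."""
import re, subprocess, time

RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})")
DS_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DS\s")

def parse_dig(text, now=None):
    """Summarise a 'dig +dnssec com DS' reply. `now` is YYYYMMDDHHMMSS (UTC), the
    RRSIG timestamp format, which sorts chronologically as a plain string."""
    now = now or time.strftime("%Y%m%d%H%M%S", time.gmtime())
    r = {"status": None, "truncated": False, "ds": 0, "rrsig_ds": False, "sig_valid_now": None}
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            r["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):  # TC set => signed reply did not fit in UDP
            r["truncated"] = "tc" in re.search(r"flags: ([^;]*)", line).group(1).split()
        elif DS_RE.match(line):
            r["ds"] += 1
        else:
            m = RRSIG_RE.match(line)
            if m and m.group(1) == "DS":  # groups 2 and 3: expiration, inception
                r["rrsig_ds"] = True
                r["sig_valid_now"] = m.group(3) <= now <= m.group(2)
    return r

def diagnose(r):
    """Map a parsed reply to the next thing worth checking on the failing host."""
    if r["status"] != "NOERROR":
        return "root answered %s: check reachability and firewalling" % r["status"]
    if r["ds"] == 0:
        return "no DS for com in the reply" + (" (truncated, retry with tcp=True)" if r["truncated"] else "")
    if not r["rrsig_ds"]:
        return "DS present but RRSIG missing: DNSSEC data lost in transit, retry with tcp=True"
    if r["sig_valid_now"] is False:
        return "RRSIG present but outside its validity window: check this server's clock"
    return "DS and RRSIG look sane from here"

def query_root(server, tcp=False):
    # Live query of one root server for com/DS with the DO bit (needs dig on PATH)
    cmd = ["dig", "+dnssec", "+norecurse", "+time=3", "+tries=1"] + (["+tcp"] if tcp else [])
    return subprocess.run(cmd + ["@" + server, "com", "DS"], capture_output=True, text=True).stdout

# Constructed reply in dig's text format; digest and signature are placeholders.
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
com.\t86400\tIN\tDS\t30909 8 2 PLACEHOLDERDIGEST
com.\t86400\tIN\tRRSIG\tDS 8 1 86400 20191028050000 20191015040000 22545 . PLACEHOLDERSIG
"""

if __name__ == "__main__":  # a.root-servers.net address from the syslog above; UDP then TCP
    print([diagnose(parse_dig(query_root("198.41.0.4", tcp))) for tcp in (False, True)])
```

Running it on both hosts and comparing the UDP and TCP results shows whether the signed DS response actually reaches the failing server intact and whether its clock agrees with the signature's validity window.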
